[Samba] smbclient works, mount.cifs fails NT_STATUS_LOGON_FAILURE in Samba 4.8.3
Jordan Castillo
jordantcastillo at gmail.com
Tue Jan 22 21:43:33 UTC 2019
Hello,
I am attempting to debug an issue with my Samba configuration. It has been
working fine, but we recently updated Samba from 4.6.x to 4.8.3 and are now
seeing some issues authenticating.
Most of our servers are still working fine after the upgrade, but one
server is giving us issues. A little more environment info: The server is
running Centos 7.1. Windows clients can connect OK. We are using sssd
server-side to connect to Active Directory for Windows auth. Linux and OS X
clients are encountering issues mounting the smb share directly, although
this was working correctly prior to updating sssd and samba.
I am working on a Fedora 28 workstation. When I attempt to connect to the
share with smbclient using this command:
`smbclient //server.domain.com/SHARED -U DOMAIN.COM\\jsmith`
I enter my password, it works and appears to auth with kerberos:
```
[2019/01/22 13:23:53.850746, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:23:53.850783, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:23:53.850808, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:23:53.850819, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'spnego' registered
[2019/01/22 13:23:53.850836, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'schannel' registered
[2019/01/22 13:23:53.850846, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:23:53.850855, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:23:53.850870, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp' registered
[2019/01/22 13:23:53.850919, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:23:53.850935, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_basic' registered
[2019/01/22 13:23:53.850953, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_ntlm' registered
[2019/01/22 13:23:53.850962, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_negotiate' registered
[2019/01/22 13:23:56.488705, 3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: jsmith [John Smith]
[2019/01/22 13:23:56.488742, 3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [jsmith at DOMAIN.COM]
```
When I attempt to mount the share with mount using this command:
`sudo mount -v -t cifs -o username=jsmith,domain=domain.com //
server.domain.com/SHARED SHARED`
I get hit with 'mount error(13): Permission denied' client-side and see
this output in the server's log:
```
[2019/01/22 13:26:49.466127, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2019/01/22 13:26:49.466161, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2019/01/22 13:26:49.466177, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2019/01/22 13:26:49.466249, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'spnego' registered
[2019/01/22 13:26:49.466274, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'schannel' registered
[2019/01/22 13:26:49.466341, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2019/01/22 13:26:49.466353, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2019/01/22 13:26:49.466403, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp' registered
[2019/01/22 13:26:49.466411, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2019/01/22 13:26:49.466420, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_basic' registered
[2019/01/22 13:26:49.466430, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_ntlm' registered
[2019/01/22 13:26:49.466439, 3]
../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_negotiate' registered
[2019/01/22 13:26:49.469535, 3]
../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe0080225
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP_NEGOTIATE_56
[2019/01/22 13:26:49.469907, 3]
../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
Got user=[jsmith] domain=[domain.com] workstation=[] len1=0 len2=168
[2019/01/22 13:26:49.470215, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[rhome]"
[2019/01/22 13:26:49.470263, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[it_home]"
[2019/01/22 13:26:49.470297, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[vpnhome]"
[2019/01/22 13:26:49.470357, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[shared]"
[2019/01/22 13:26:49.470412, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[dev-share]"
[2019/01/22 13:26:49.470457, 2]
../source3/param/loadparm.c:2799(lp_do_section)
Processing section "[scans]"
[2019/01/22 13:26:49.470528, 3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[domain.com]\[jsmith]@[]
with the new password interface
[2019/01/22 13:26:49.470538, 3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [domain.com]\[jsmith]@[]
[2019/01/22 13:26:49.470582, 2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [jsmith] -> [jsmith] FAILED
with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/01/22 13:26:49.470619, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [domain.com]\[jsmith] at [Tue, 22 Jan 2019
13:26:49.470605 PST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE]
workstation [] remote host [ipv4:192.168.10.100:55024] mapped to
[domain.com]\[jsmith].
local host [ipv4:192.168.20.200:445]
```
Here is my smb.conf file:
```
[global]
min protocol = SMB2
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
password server = ad1.domain.com ad2.domain.com
kerberos method = secrets and keytab
template shell = /bin/bash
encrypt passwords = yes
log file = /var/log/samba/log.%U
log level = 2 auth:4
idmap config * : backend = tdb
idmap config * : range = 500-9999999999
idmap config DOMAIN.COM:default = true
idmap config DOMAIN.COM:backend = ad
idmap config DOMAIN.COM:range = 500-9999999999
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
```
In case it helps, sssd.conf:
```
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam
[domain/domain.com]
debug_level = 0x1310
ad_domain = domain.com
ad_server = ad1.domain.com
dyndns_update = false
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
```
Can anyone help me figure out what might be wrong with my config that is
causing a different auth flow for smbclient vs. mounting the share
directly? It appears that mounting it is skipping krb5 auth and/or causing
the username to not be formatted correctly. Would appreciate any insight
anyone can offer.
More information about the samba
mailing list